Vulnerability details: VCID-tdx9-auyq-sugr
Vulnerability ID VCID-tdx9-auyq-sugr
Aliases CVE-2025-58056
GHSA-fghv-69vj-qj49
Summary Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions. A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some reverse proxies.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58056.json
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2025-58056
cvssv4 2.9 https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
generic_textual LOW https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
ssvc Track https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
generic_textual LOW https://github.com/github/advisory-database/pull/6092
cvssv4 2.9 https://github.com/JLLeitschuh/unCVEed/issues/1
generic_textual LOW https://github.com/JLLeitschuh/unCVEed/issues/1
ssvc Track https://github.com/JLLeitschuh/unCVEed/issues/1
generic_textual LOW https://github.com/netty/netty
cvssv4 2.9 https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
generic_textual LOW https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
ssvc Track https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
cvssv4 2.9 https://github.com/netty/netty/issues/15522
generic_textual LOW https://github.com/netty/netty/issues/15522
ssvc Track https://github.com/netty/netty/issues/15522
cvssv4 2.9 https://github.com/netty/netty/pull/15611
generic_textual LOW https://github.com/netty/netty/pull/15611
ssvc Track https://github.com/netty/netty/pull/15611
cvssv4 2.9 https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
generic_textual LOW https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
ssvc Track https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2025-58056
cvssv4 2.9 https://w4ke.info/2025/06/18/funky-chunks.html
generic_textual LOW https://w4ke.info/2025/06/18/funky-chunks.html
ssvc Track https://w4ke.info/2025/06/18/funky-chunks.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58056.json
https://api.first.org/data/v1/epss?cve=CVE-2025-58056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58056
https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
https://github.com/github/advisory-database/pull/6092
https://github.com/JLLeitschuh/unCVEed/issues/1
https://github.com/netty/netty
https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
https://github.com/netty/netty/issues/15522
https://github.com/netty/netty/pull/15611
https://w4ke.info/2025/06/18/funky-chunks.html
1113995 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113995
2392996 https://bugzilla.redhat.com/show_bug.cgi?id=2392996
CVE-2025-58056 https://nvd.nist.gov/vuln/detail/CVE-2025-58056
GHSA-fghv-69vj-qj49 https://github.com/advisories/GHSA-fghv-69vj-qj49
GHSA-fghv-69vj-qj49 https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
RHSA-2025:17187 https://access.redhat.com/errata/RHSA-2025:17187
RHSA-2025:17298 https://access.redhat.com/errata/RHSA-2025:17298
RHSA-2025:17299 https://access.redhat.com/errata/RHSA-2025:17299
RHSA-2025:17317 https://access.redhat.com/errata/RHSA-2025:17317
RHSA-2025:17318 https://access.redhat.com/errata/RHSA-2025:17318
RHSA-2025:17563 https://access.redhat.com/errata/RHSA-2025:17563
RHSA-2025:17567 https://access.redhat.com/errata/RHSA-2025:17567
RHSA-2025:18028 https://access.redhat.com/errata/RHSA-2025:18028
RHSA-2025:18076 https://access.redhat.com/errata/RHSA-2025:18076
RHSA-2025:21148 https://access.redhat.com/errata/RHSA-2025:21148
RHSA-2026:3102 https://access.redhat.com/errata/RHSA-2026:3102
USN-7918-1 https://usn.ubuntu.com/7918-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58056.json
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/JLLeitschuh/unCVEed/issues/1
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://github.com/JLLeitschuh/unCVEed/issues/1
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/netty/netty/issues/15522
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://github.com/netty/netty/issues/15522
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/netty/netty/pull/15611
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://github.com/netty/netty/pull/15611
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P Found at https://w4ke.info/2025/06/18/funky-chunks.html
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/ Found at https://w4ke.info/2025/06/18/funky-chunks.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.26816
EPSS Score 0.00097
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:24:56.961312+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.netty/netty-codec-http/CVE-2025-58056.yml 38.6.0